Bruce Schneier Shares Security Ideas at Museum

Bruce Schneier shared his ideas about the psychology of security, and the need for thinking sensibly about security, in his hometown last week when he gave a lecture at the Weisman Art Museum in the US.

Schneier's lecture was scheduled in conjunction with an exhibition of photographer Paul Shambroom's images of power (Shambroom's photographs capture scenes in industrial, business, community and military environments.) The association of Schneier's lecture with the photography exhibit says a lot about how the security guru's focus has evolved over the years from the bits and bytes of cryptography and computer security to include a more broad examination of personal safety, crime, corporate security and national security.

The theme of Schneier's talk was the "security theater," a term he uses to describe security measures that are designed to make people feel safer but don't necessarily do so.

"Security is really two different things. It's a feeling and it's a reality. And they're very different," he said. "You can feel secure even though you're not, and you can be secure even though you don't feel it."

One example of security theater he gave is tamper-resistant caps for over-the-counter medicines, which were introduced in the wake of Tylenol-tampering incidents in the 1980s. As a means of preventing tampering, the packaging is more security theater than an effective countermeasure: Someone intent on tampering with the contents could use a syringe, for example, Schneier said.

Security theater can be dangerous because it takes money, time and attention away from genuine security efforts that are aimed at directing effective countermeasures at real risks. But security theater isn't all bad, Schneier said. In some cases, security theater used to allay fears that are out of whack with reality can be a good thing.

For example, as a means of making consumers feel more secure about buying nonprescription drugs (which mathematically are at minimal risk of being tampered with), the tamper-proof packaging served to bring people's feelings about security more in line with reality, he said.

Another example Schneier gave is the use of National Guard troops in airports following the 9/11 terrorist attacks. The troops had no bullets in their guns, making them fairly ineffective as a security countermeasure. But their presence helped make people less afraid to fly, which was important at the time.

Schneier talked a lot about aligning the feeling of security with the mathematical reality of security.

"If the feeling [of security] is greater than the reality, we have a false sense of security. If the reality is greater than the fear, then we have a false sense of insecurity, in extreme cases you could call it paranoia . . . or irrational fear," he said.

Convergence will occur naturally as people become more informed -- and populate their "cognitive model" with factual information about actual risks and effective countermeasures. Of course, Schneier reminded the audience, it's not that simple since the public is exposed to skewed data depending on the agendas of those providing information, whether it's the media reporting sensational stories, politicians looking to secure their own careers, vendors looking to sell their products and so on.

Having an agenda doesn't make someone malicious, but it illustrates the fact that security trade-offs -- what someone is willing to risk vs. invest -- are personal, Schneier said. "Different stakeholders will evaluate security trade-offs differently, and that makes sense," he said.

"Very often security trade-offs are made for nonsecurity reasons," he added, citing as an example news that broke this week that the United States is outsourcing the printing of passports to a company in Thailand. "From a security perspective it's a really dumb idea -- but think of the savings," he quipped.

Following his talk, the standing-room-only crowd peppered Schneier with questions about surveillance cameras ("At best cameras seem to move crime around," he said), electronic voting systems ("Even if there is no manipulation, if there is the perception of, the likelihood of, the chance of, or the belief of manipulation, then the acceptance of the accuracy of the election is suddenly a problem."), global warming and more.

One attendee voiced that he agreed with nearly everything Schneier said -- which the attendee said made him profoundly pessimistic when thinking about the agendas of today's society.

Schneier responded by saying there's cause for optimism: "I'm not a pessimist -- even though I have all the information that I just shared with you -- because in general the system works, the system does tend to converge on reality," he said. Society has a history of managing new risks, getting used to new a technology and normalizing it, he said. But it takes time.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.

About Bruce Schneier

I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a Special Advisor to IBM Security, a fellow and lecturer at Harvard's Kennedy School, and a board member of EFF. This personal website expresses the opinions of none of those organizations.